Open-source code is everywhere; GitHub expands security tools to help …


Whether directly or indirectly, nearly all organizations depend on software created by the open-source community. By one estimate, 97% of applications incorporate open-source code, and 90% of organizations say they use it in some way.

Still, as Log4j showed, open-source components can carry serious vulnerabilities, and as the SUNBURST/SolarWinds compromise (and many others) showed, the software supply chain as a whole is a target. According to Gartner, 89% of companies experienced a supplier risk event in the past five years, and Argon Security reports that software supply chain attacks grew by more than 300% between 2020 and 2021.

The work of the open-source community is used in almost every software product, so securing it and protecting the community has a big impact, said Mariam Sulakian, senior product manager at GitHub. Vulnerabilities in open-source code can have a global ripple effect across the millions of people and services that rely on it.

GitHub, the leading code-hosting service, already offers several capabilities to address this problem, and today announced expansions to two of them: GitHub's secret scanning alerts are now available for free on all public repositories, and its push protection feature now covers custom secret patterns. Both capabilities are in public beta.


As the largest open-source community in the world, GitHub is always working to make using and contributing to open source easier, said Sulakian. We give away our most advanced security tools for free on public repositories to help keep open source secure, and to keep those building it safe.

Exposed secrets and credentials are the most common initial cause of data breaches, in part because they often go untracked, and a breach that starts with them can take an average of 327 days to identify.

Malicious actors often target leaked secrets and credentials as starting points for larger attacks, like ransomware and phishing campaigns, said Sulakian.

GitHub also partners with more than 100 service providers through its secret scanning partner program, so that many exposed secrets can be revoked or rotated quickly once detected.

In 2022 alone, GitHub detected and sent notifications for more than 1.7 million exposed secrets in public repositories. Broken down to daily numbers, that is more than 4,500 potential secrets leaked in public repositories every day.

Now GitHub is extending these alerts to open-source developers, for free. Once enabled, GitHub notifies a repository's developers directly when a secret is found in its code, so they can track alerts, identify the leak's source, and take action. "For example, a user can receive an alert and track remediation for a leaked self-hosted HashiCorp Vault key," said Sulakian.

Secret scanning for public repositories will help millions of developers avoid exposing their credentials and passwords by accident, she said.

The gradual public beta rollout of secret scanning for public repositories began today and the feature should be available to all users by the end of January 2023.

"With secret scanning, we found a ton of important things to address," said David Ross, staff security engineer with Postmates. "On the appsec side, it's often the best way for us to get visibility into issues in the code."

Similarly, businesses often have their own unique set of secrets that they want to detect when exposed, and ideally to protect before exposure, Sulakian explained.

With custom patterns, organizations can scan for passwords in connection strings, private keys, and URLs with embedded credentials (among other cases) across thousands of their repositories.

But remediation takes time and significant resources, said Sulakian.

To address this problem, GitHub introduced push protection for GitHub Advanced Security (GHAS) customers in April 2022. Rather than alerting after the fact, push protection scans each push for secrets and rejects it before the offending commit lands in the repository, so the secret never becomes part of the shared history.

In the eight months since that release, GitHub has prevented more than 8,000 secret leaks across 100 secret types, said Sulakian. With the enhanced capabilities announced today, organizations with GHAS have additional coverage for what are often their most important secret patterns: Those customized and defined internally to their organizations.

With push protection, businesses can prevent accidental leaks of the most critical secrets, said Sulakian.

Push protection for custom patterns can be configured pattern by pattern at the organization or repository level, Sulakian explained. With the capability enabled, GitHub blocks any push whose contents match a protected pattern. Organizations can decide which patterns to push-protect based on each pattern's false-positive rate, leaving noisier patterns in alert-only mode.
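As an added illustration (this is not GitHub's code, whose scanner internals are not published), the following Python models the two mechanisms described above: custom regex patterns for the secret types named earlier (connection-string passwords, private keys, URLs with embedded credentials) run over the added lines of a push, and a per-pattern push-protect flag that decides whether a match only raises an alert or rejects the push. The pattern names and regexes, the `push_protect` flag and the sample diff are all constructed for this example.

```python
"""Toy model of custom-pattern secret scanning with per-pattern push protection.

Added example, not GitHub's code. The pattern names, their regexes, the
push_protect flag and SAMPLE_DIFF are all constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CustomPattern:
    name: str
    regex: re.Pattern
    push_protect: bool  # True: a match blocks the push; False: alert only (hypothetical flag)


# Constructed patterns mirroring the categories named in the article.
PATTERNS = [
    CustomPattern("connection-string-password",
                  re.compile(r"(?i)\bpassword\s*=\s*[^;\s'\"]{8,}"), push_protect=True),
    CustomPattern("pem-private-key",
                  re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), push_protect=True),
    # Alert-only: assumed to be too noisy in this organisation to justify blocking.
    CustomPattern("url-with-embedded-credentials",
                  re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@[^\s/]+"), push_protect=False),
]


@dataclass(frozen=True)
class Finding:
    pattern: str
    path: str
    line_no: int
    redacted: str  # the offending line with the matched secret masked


def added_lines(diff: str):
    """Yield (path, new_file_line_no, text) for every added line in a unified diff.

    Only '+' lines are scanned: a push is judged on what it introduces, so the
    removed placeholder line in the first hunk of SAMPLE_DIFF is never inspected.
    """
    path, line_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("diff --git"):
            path = None
        elif raw.startswith("+++ "):
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
            line_no = int(m.group(1))
        elif raw.startswith("+"):
            yield path, line_no, raw[1:]
            line_no += 1
        elif raw.startswith("-") or raw.startswith("\\"):
            continue  # removed line or "\ No newline" marker: new-file counter unchanged
        elif path is not None:
            line_no += 1  # unchanged context line


def scan_diff(diff: str, patterns=PATTERNS) -> list[Finding]:
    """Run every custom pattern over the added lines and return redacted findings."""
    findings = []
    for path, line_no, text in added_lines(diff):
        for p in patterns:
            for m in p.regex.finditer(text):
                masked = text[:m.start()] + "[REDACTED]" + text[m.end():]
                findings.append(Finding(p.name, path, line_no, masked))
    return findings


def push_decision(findings, patterns=PATTERNS):
    """Return (blocked, blocking_findings): only push-protected patterns can block."""
    protected = {p.name for p in patterns if p.push_protect}
    blocking = [f for f in findings if f.pattern in protected]
    return bool(blocking), blocking


# Constructed diff: a real-looking password replacing a placeholder, a URL with
# embedded credentials, and a new file containing a private key.
SAMPLE_DIFF = """\
diff --git a/config/db.ini b/config/db.ini
--- a/config/db.ini
+++ b/config/db.ini
@@ -1,3 +1,4 @@
 [database]
 host=db.internal.example
-password=REPLACE_ME
+password=Tr0ub4dor&3x_example
+pool_size=10
diff --git a/scripts/fetch.sh b/scripts/fetch.sh
--- a/scripts/fetch.sh
+++ b/scripts/fetch.sh
@@ -1,2 +1,2 @@
 #!/bin/sh
-curl https://artifacts.example/file.tgz
+curl https://deploy:hunter2-example@artifacts.example/file.tgz
diff --git a/deploy/id_rsa b/deploy/id_rsa
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAAexampleexampleexample
+-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    findings = scan_diff(SAMPLE_DIFF)
    blocked, blocking = push_decision(findings)
    for f in findings:
        verdict = "BLOCK" if f in blocking else "alert"
        print(f"{verdict:5} {f.pattern:32} {f.path}:{f.line_no}  {f.redacted}")
    print("push rejected" if blocked else "push accepted")
```

Run as a script, it prints one line per finding and a push-protection style verdict: the password and private key block the push, while the credential-bearing URL is reported but, because its pattern is alert-only, does not. Findings carry a redacted copy of the line so the alert can be triaged without re-leaking the secret. Whatever the scanner, a new custom pattern should be run against existing repositories to gauge its false-positive rate before push protection is turned on for it, since a blocking pattern that fires on ordinary code will be bypassed or disabled by developers.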

"Integrating this capability into a developer's flow saves time and helps educate on best practices," said David Florey, software engineering director at Intel.

"If I attempt to push a secret, I immediately know it," he said.

The GitHub tool stops him before a secret is pushed into the codebase, he said, whereas if he relied solely on external tools that scan the repository after the secret has already been exposed, "I'll need to quickly revoke the secret and refactor my code."

With threat actors increasingly targeting leaked secrets and credentials, GitHub customers are investing more resources in securing their increasingly complex software supply chain, said Sulakian.

Organizations constantly seek to detect and fix vulnerabilities earlier in the software lifecycle to improve overall security, save the cost of reactive work by appsec teams, and minimize damage, she said.

GitHub helps application security teams rapidly identify and remediate vulnerabilities in users' code, she said. The company has built its tools, many of them free, to integrate directly into developer workflows so that secure code can be written faster. It also recently introduced private vulnerability reporting so that researchers can disclose vulnerabilities privately and communicate with maintainers.

"Our philosophy is to make all our advanced security features available for free on public repositories," said Sulakian.

Ultimately, she maintained, as the home for open source and 94-plus million developers, GitHub can advance the state of software security more than any other team or platform.


Morris: Internal Twitter Deliberations on Laptop from Hell Censorship …

Internal Twitter deliberations surrounding the censorship of the New York Post's reporting on Hunter Biden's "laptop from hell" reveal the company's management engaging in willful ignorance of the facts of the story in order to justify censoring it on the platform.

Matt Taibbi, the journalist tasked by Elon Musk to reveal the internal communications, explains that Twitter management at the time used the company's hacked-materials policy as an excuse to squelch the Post's reporting, but knew it wasn't going to hold. The reason it wasn't going to hold was that the Post explained that the reporting was based on a hard drive abandoned at a computer repair shop, not hacked material, and produced a federal subpoena given to the repair-shop owner to bolster the claim.


Former Trust and Safety chief Yoel Roth messaged colleague Vijaya Gadde: "The policy basis is hacked materials, though, as discussed, this is an emerging situation where the facts remain unclear. Given the SEVERE risks here and lessons of 2016, we're erring on the side of including a warning and preventing this content from being amplified."

Another member of management, Brandon Borrman, then asks, "Can we truthfully claim that this is part of the policy?"

Jim Baker, Twitter's then-Deputy Legal Counsel and a former senior member of the FBI, adds, "[We] need more facts to assess whether the materials were hacked. At this stage, however, it is reasonable for us to assume that they may have been and that conclusion is warranted."

Baker then admits, per the Post's reporting in the story in question, that "there is evidence indicating that the computer was either abandoned and/or the owner consented to allow the repair shop to access it for at least some purposes."

But during the time this communication was underway, Twitter did not contact the New York Post to inquire about whether the reporting was based on hacked material, and the story in question explained exactly how the Post obtained the material it was reporting on.

The story headlined "Smoking-gun email reveals how Hunter Biden introduced Ukrainian businessman to VP dad," published on October 14, 2020, says that the correspondence between Burisma board member Vadym Pozharskyi and Hunter was contained in a "massive trove of data recovered from a laptop computer."

The Post published that it had the entire hard drive, which was originally obtained by a computer repair shop in Delaware.

"The computer was dropped off at a repair shop in Biden's home state of Delaware in April 2019, according to the store's owner," the Post wrote in the initial story.

The customer who brought in the water-damaged MacBook Pro for repair never paid for the service or retrieved it or a hard drive on which its contents were stored, according to the shop owner, who said he tried repeatedly to contact the client.

"The shop owner couldn't positively identify the customer as Hunter Biden, but said the laptop bore a sticker from the Beau Biden Foundation, named after Hunter's late brother and former Delaware attorney general.

"Photos of a Delaware federal subpoena given to The Post show that both the computer and hard drive were seized by the FBI in December, after the shop's owner says he alerted the feds to their existence.

"But before turning over the gear, the shop owner says, he made a copy of the hard drive and later gave it to former Mayor Rudy Giuliani's lawyer, Robert Costello."

Steve Bannon, former adviser to President Trump, told The Post about the existence of the hard drive in late September and Giuliani provided The Post with a copy of it on Sunday.

The Post also published an image of a federal subpoena showing the computer was in the FBI's possession after being turned in by the computer repair shop owner, who has since been publicly identified as John Paul Mac Isaac.

Emma-Jo Morris is the Politics Editor at Breitbart News. Email her at ejmorris@breitbart.com or follow her on Twitter.


New Zealand admits it has direct access to Facebook takedown portal …

New Zealand’s government has officially admitted that it has partner access to Facebook’s controversial content takedown portal.

This portal is designed specifically for government agencies to flag content to Facebook for censorship. According to The Intercept, which reported on the portal in October, government partners can also use the portal to report disinformation directly to Facebook.

In a recent response to a New Zealand Official Information Act (OIA) request asking whether the government has partner access to Facebook's takedown portal, the New Zealand government confirmed that the Department of Internal Affairs has access. This was the only department confirmed to have access; the OIA response added that "we cannot advise if any other government agency has access to the takedown portal."

We obtained a copy of the OIA response for you here.

The OIA response didn’t detail how much content had been censored via this Facebook takedown portal. However, other reports on similar types of backdoor content takedown arrangements between governments and Big Tech have shown that governments regularly use them to target legal content such as parody accounts, accounts questioning the effectiveness of Covid vaccines, and so-called election misinformation.

Publicly, the New Zealand government has endorsed the censorship of legal content with Prime Minister Jacinda Ardern saying disinformation should be regulated like guns, bombs, and nuclear weapons. Big Tech companies have also agreed to a censorship pact in the country where they suppress misinformation and harmful content.

Most other governments haven’t admitted that they have access to these portals. However, last year The White House did admit that the United States (US) Surgeon General’s Office is flagging posts for Facebook to censor.

The Intercept’s report on this Facebook content takedown portal claimed that several other United States (US) government agencies have access to the portal, including the Department of Homeland Security (DHS).

Documents released as part of 2021 lawsuits suggest that the California Secretary of State's Office of Elections Cybersecurity (OEC) also has access to the Facebook takedown portal and to a similar portal at Twitter.


NSA files decoded: Edward Snowden’s surveillance revelations explained …

Two factors opened the way for the rapid expansion of surveillance over the past decade: the fear of terrorism created by the 9/11 attacks and the digital revolution that led to an explosion in cell phone and internet use.

But along with these technologies came an extension of the NSA's reach that few in the early 1990s could have imagined. Details that in the past might have remained private were suddenly there for the taking.


The NSA is helped by the fact that much of the world's communications traffic passes through the US or its close ally the UK, what the agencies refer to as "home-field advantage." The NSA has its own cable-intercept programs tapping traffic flowing into and across the US. These operate mainly under four codenames, BLARNEY, FAIRVIEW, OAKSTAR and STORMBREW, and are collectively known as Upstream collection.

The Snowden documents show that the NSA runs these surveillance programs through partnerships with major US telecom and internet companies. Some of these relationships go back decades, others are more recent, in the wake of 9/11 and with the growth of the internet.

The division inside the NSA that deals with collection programs focused on private companies is Special Source Operations (SSO), described by Snowden as the "crown jewels" of the NSA.

In one top-secret document, published here for the first time, SSO spelled out the importance of these commercial relationships, which come under the heading "Corporate Partner Access."

In bald terms, it sets out its mission: Leverage unique key corporate partnerships to gain access to high-capacity international fiber-optic cables, switches and/or routes throughout the world.


As well as fiber-optic cables in the US, the NSA has access to data gathered by close intelligence partners such as Britain's GCHQ.

The Snowden documents revealed the existence of Tempora, a program established in 2011 by GCHQ that gathers masses of phone and internet traffic by tapping into fiber-optic cables. GCHQ shares most of its information with the NSA.


As well as its upstream collection programs, the NSA also has Prism, which, according to the Snowden documents, is the biggest single contributor to its intelligence reports. It is a "downstream" program, which means the agency collects the data from Google, Facebook, Apple, Yahoo and other US internet giants rather than from the cables between them. One slide claims the agency has "direct access" to their servers, but this has been hotly disputed by the companies, who say they only comply with lawful requests for user data.

When the Guardian and the Washington Post revealed the existence of Prism the companies denied all knowledge of it and insisted that any co-operation with the intelligence agencies was compelled by law.

The names of many of the NSA's corporate partners are so sensitive that they are classified as ECI (Exceptionally Controlled Information), a higher classification level than the Snowden documents cover.

But some of the internet companies are named in the Special Source Operations briefing on Corporate Partner Access. A graphic comparing weekly reports involving the companies lists some of the Prism providers. Other companies on the list are protected by ECI covernames. Artifice, Lithium and Serenade are listed in other documents as covernames for SSO corporate partners, while Steelknight is described as an NSA partner facility.

This is the first time that data giving a sample of the number of intelligence records being generated per company has been published. It shows that over the period shown, June to July 2010, data from Yahoo generated by far the most NSA intelligence reports, followed by Microsoft, and then Google. All three companies are fighting through the courts to be allowed to release more detailed figures for the numbers of data requests they handle from US intelligence agencies.


Not all companies have complied. Ladar Levison, the founder of Lavabit, a small, secure email provider used by Snowden, suspended operations in August rather than comply with a warrant that would have allowed the US government access to the data of all of Lavabit's 400,000 customers.

In a statement defending its surveillance programs, the NSA said: "What NSA does is collect the communications of targets of foreign intelligence value, irrespective of the provider that carries them. US service provider communications make use of the same information super highways as a variety of other commercial service providers. NSA must understand and take that into account in order to eliminate information that is not related to foreign intelligence."

"NSA works with a number of partners and allies in meeting its foreign-intelligence mission goals, and in every case those operations comply with US law and with the applicable laws under which those partners and allies operate."

But some members of Congress, such as Lofgren, who represents a Silicon Valley district, are unconvinced. She warns that the programs not only undermine individual privacy, but threaten the reputations of major American telecom and internet companies.


Edward Snowden says he feels itch to scale back in to $16.5K Bitcoin

Bitcoin (BTC) returned to $16,500 at the Nov. 14 Wall Street open as bulls tried and failed to break higher.

Data from Cointelegraph Markets Pro and TradingView showed BTC/USD ranging below $17,000 on the day after a dismal weekly close.

The largest cryptocurrency had failed to show convincing signs of recovery after losing more than 25% the week prior thanks to the debacle around exchange FTX.

That debacle was ongoing at the time of writing, with revelations fanning out to include other firms with significant exposure to the defunct exchange.

With little light at the end of the tunnel visible, BTC price action remained unsurprisingly weak.

"Markets consolidating," Michaël van de Poppe, founder and CEO of trading platform Eight, summarized.

Trader and analyst Rekt Capital, meanwhile, warned of support/resistance flips in the making thanks to the weekly close, Bitcoin's lowest in two years.

"These are BTC Monthly levels shown on the Weekly timeframe," he tweeted alongside a chart of important focal levels.

Other posts on the day warned of the potential for additional downside wicking on BTC/USD, while noting that, historically, prior bear markets were still worse in terms of the pair's descent from cycle highs.

An interesting counterpoint came from Edward Snowden. In a tweet of his own, he signaled that he would be a BTC buyer at current levels, a sentiment he last publicly posted after the March 2020 COVID-19 cross-market crash.

"There's still a lot of trouble ahead, but for the first time in a while I'm starting to feel the itch to scale back in," he stated.

A second tweet stressed that the previous one was not financial advice.

Stocks offered little respite to crypto bulls on the day, with the S&P 500 and Nasdaq Composite Index down 0.3% and 0.8%, respectively, during the first hour.


The U.S. dollar index (DXY) continued a consolidation of its own while refusing to add to the prior week's significant retracement.

Popular trading account Game of Trades noted that the daily chart's relative strength index (RSI) for the DXY had set a new record low for 2022.

"SPX is showing strength and DXY is crashing," a hopeful Bloodgood, another well-known Twitter trader, wrote in part of a fresh update on the day.

The views and opinions expressed here are solely those of the author and do not necessarily reflect the views of Cointelegraph.com. Every investment and trading move involves risk, you should conduct your own research when making a decision.
